#
# This module contains SAINT-US code from WWDSI which is regulated in
# accordance with the distribution file LICENSE.WWDSI. 
#
# Rules that deduce new facts from existing data. Each rule is executed once
# for each 'a' SAINT record. The rule format is:
#
#	condition TABs fact
#
# The condition is a PERL expression that has full access to the global
# $target..$text variables, to functions, and to everything that has been
# found so far. The fact is a SAINT record.
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
#
# version 1, Sun Mar 19 10:32:57 1995, last mod by zen
#
#
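#
# Assume rexd is insecure without even trying
#
# The condition used to read "/runs rexd/ && /(?!world)/".  A negative
# lookahead with nothing after it succeeds at any position where "world"
# does not begin (including end of string), so that second test matched
# every record and never excluded anything.  Presumably the intent was to
# skip records that mention "world"; !/world/ is the test that does so.
#
/runs rexd/ && !/world/	$target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable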

# SENDMAIL SECTION ;-)
#
# assume berkeley versions of sendmail < 8.8.5 are hosed:
#
# Captures: $3 = major digit, $4 = minor (digits, possibly with an "x"),
# $5 = the optional dot before the patch level, $6 = patch level (may be
# empty).  Each component is compared numerically.  An empty $6 (a banner
# such as "8.8" with no patch level) numifies to 0 in Perl and therefore
# still satisfies $6<5; a minor such as "6x" compares as 6.
/[Ss]endmail\s+(\S+\s+)?(SMI-)?([0-9])\.([0-9x]+)(\.)?([0-9]*)/ && ($3<8 || ($3==8 && $4<8) || ($3==8 && $4==8 && $6<5)) \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|Vulnerable Sendmail version: $3.$4$5$6

# other sendmail versions

# HP
# Anchored on the literal version prefix "1.37.109.11" in the HP banner;
# no numeric comparison is done.
/HP Sendmail \(1\.37\.109\.11/ \
		$target|assert|a|bo|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail version buffer overflow

#
# Sequent/DYNIX; if <= 5.65, broken...
# $1 is the whole "5.NN" string compared as a number, so 5.65 itself is
# included even though the fact text says "pre 5.65".  The /DYNIX/ test is
# evaluated last and must also match the same record.
/[Ss]endmail (5\.[0-9]+)/ && $1 <= 5.65 && /DYNIX/ \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|DYNIX Sendmail, pre 5.65

#
# MMDF smtp servers
# Keyed on the greeting shape "220 <host> Server SMTP (" only; no version
# is extracted, hence the "possible" wording in the fact.
/220 \S+ Server SMTP \(/ \
		$target|smtp|a|zcio|ANY@$target|ANY@$target|MMDF vulnerability|possible vulnerability in MMDF

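# POP2 servers (pop3 is checked in bin/pop3.sara)
#
# The two principal fields used to read "ANY@target" without the "$"
# sigil, so the fact was written against the literal word "target"
# instead of the scanned host, unlike every other rule in this file.
/OK/ && /pop-2/		$target|pop|a|zwoi|ANY@$target|ANY@$target|pop version|pop version may be vulnerable to buffer overflow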

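#POP Server with MD5 Authentication
#
# The condition used to read "/POP/ && /(?!MD5)/".  A bare negative
# lookahead matches every string, so every POP banner was reported as
# receiving passwords in the clear.  !/MD5/ limits the fact to banners
# that do not mention MD5.  The principal fields also lacked the "$" sigil
# ("ANY@target"), so they were not interpolated with the host name.
/POP/ && !/MD5/	$target|pop|a|zwoi|ANY@$target|ANY@$target|POP server|pop receives password in clear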
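#
# OTHER PROBLEMS
#
# 220 wuarchive.wustl.edu FTP server (Version wu-2.4(1) Mon 
#
# wu-ftpd: $1 is the minor digit(s) after "wu-2." and is tested
# numerically.  The dot after "wu-2" is escaped so it matches only a
# literal ".", not any character as an unescaped "." would.
/ftp.*\(version wu-2\.([0-9]+)/i && $1 < 4 \
		$target|ftp|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp pre 2.4
/ftp.*\(version wu-2\.([0-9]+)/i && $1 == 4 \
		$target|ftp|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp 2.4
/ftp.*\(version wu-2\.([0-9]+)/i && $1 == 5 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp 2.5
# Only 2.6.0 is matched here; later 2.6.x releases are not covered by
# these rules.
/ftp.*\(version wu-2\.6\.0/i  \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp 2.6
# ProFTPD: the pre-release rule captures N from "1.2.0preN"; the generic
# rule captures the minor digits after "1." (for a "1.2.0pre1" banner that
# is "2", so it does not fire for pre-releases).
/220 ProFTPD 1\.2\.0pre([0-9]+)/i && $1 < 2 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|ProFtp pre 1.2.0pre2
/220 ProFTPD 1\.([0-9]+)/i && $1 < 2 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|ProFtp pre 1.2.0
/FTP server \(BeroFTP/i \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|BeroFTP
# OpenBSD ftpd: $1 is "major.minor" (major limited to 0-6) compared as a
# number against 6.5.
/220/ && /Version ([0-6]\.[0-9]+)\/OpenBSD/ && $1 < 6.5 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|OpenBSD ftpd pre 6.5
/FTP server \(Version 4\.3/ \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|AIX ftpd buffer overflow
# HP-UX ftpd: $1 is the last component of the "1.7.212.N" / "1.1.214.N"
# version strings.
/FTP server \(Version 1\.7\.212\.([0-9]+)/i && $1 < 3 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|HP-UX 10.x ftpd buffer overflow
/FTP server \(Version 1\.1\.214\.([0-9]+)/i && $1 < 6 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|HP-UX 11.00 ftpd buffer overflow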
#
# Hacker program bnc (irc proxy)
#
# Keyed on a NOTICE line that also contains "quote PASS".
/NOTICE/ && /quote PASS/	$target|hacker|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised.

# a modem on a port?  Surely you jest...
# Matches an "AT ... OK" exchange.  The doubled backslashes mean the
# pattern looks for the two-character sequences "\n"/"\r" in the recorded
# text, i.e. presumably SAINT stores line endings as escapes rather than
# raw newlines -- confirm against the record writer before changing.
/AT\\[nr].*OK\\[nr]/	$target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|Unrestricted modem on the Internet

# Looking for unique Windows signature in netbios-ssn
# Same convention as above: non-printable bytes are expected as literal
# backslash-octal escapes ("\131\000\000\001\143") in the recorded text.
/\\131\\000\\000\\001\\143/	$target|DOS|a|zcio|ANY@$target|ANY@$target|Windows detected|Is your Windows patched for DoS?

# Look for chargen (udp) as possible fraggle host (Denial of Service)
# The "offers"/"runs" style rules below match the text of SAINT's
# service records; they only record that the service is present.
/chargen:UDP/		$target|DOS|a|zcio|ANY@$target|ANY@$target|Possible fraggle problem|chargen could be used in DoS attack

# Look for amd vulnerability
/runs amd/		$target|amd|a|zcio|ANY@$target|ANY@$target|amd buffer overflow|amd may be vulnerable to buffer overflow

# Look for SGI fam vulnerability
/runs sgifam/		$target|sgifam|a|yi|ANY@$target|ANY@$target|SGI fam vulnerability|SGI fam may be vulnerable

# Look for SGI objectserver
# (now done from irix.saint)
# Kept commented out for reference only; irix.saint owns this check.
#/offers 5135:UDP/	$target|objectserver|a|zcio|ANY@$target|ANY@$target|objectserver vulnerability|objectserver daemon may be vulnerable

# The port-based rules below fire on "offers <port>:<proto>" alone.  They
# do not confirm which daemon is listening, which is why every fact is
# worded "may be"/"Possible".

# Look for SGI Performance Copilot
/offers 4321:TCP/	$target|pmcd|a|zcio|ANY@$target|ANY@$target|Performance Copilot|SGI Performance Copilot may be vulnerable

# Look for SCO UnixWare i2odialogd
/offers 360:TCP/	$target|i2odialogd|a|zcio|ANY@$target|ANY@$target|UnixWare i2odialogd|Possible buffer overflow in UnixWare i2odialogd

# Look for rpc.nisd vulnerability
/runs nisd/		$target|nisd|a|zcio|ANY@$target|ANY@$target|nisd vulnerability|nisd may be vulnerable to buffer overflow

# Look for Gauntlet/WebShield cyberdaemon vulnerability
# TCP and UDP are matched by separate rules that emit the same fact.
/offers 8999:TCP/	$target|cyberdaemon|a|zcio|ANY@$target|ANY@$target|Gauntlet WebShield cyberdaemon|Gauntlet or WebShield cyberdaemon may be vulnerable
/offers 8999:UDP/	$target|cyberdaemon|a|zcio|ANY@$target|ANY@$target|Gauntlet WebShield cyberdaemon|Gauntlet or WebShield cyberdaemon may be vulnerable

# Look for HP Openview vulnerabilities
# 2345 is reported as Node Manager, 5555 as Omniback; both go to the
# same "openview" table.
/offers 2345:TCP/	$target|openview|a|zcio|ANY@$target|ANY@$target|HP Openview vulnerabilities|Possible vulnerability in Openview Node Manager
/offers 5555:TCP/	$target|openview|a|zcio|ANY@$target|ANY@$target|HP Openview vulnerabilities|Possible vulnerability in HP Omniback

# Big Brother web server
/offers 1984:TCP/	$target|bbd|a|zcio|ANY@$target|ANY@$target|http cgi access|Possible vulnerability in Big Brother (bbd)

# IRIX telnetd
# HOSTTYPE is not a variable of this file; presumably it is one of the
# functions the header says conditions may call.  Both rules require its
# value to contain "IRIX" (case-insensitive).  The second rule also
# captures the port from "telnet on port N" and reports it in the fact.
/offers telnet/ && HOSTTYPE =~ /IRIX/i	$target|telnet|a|zcio|ANY@$target|ANY@$target|IRIX telnetd|Possible vulnerability in IRIX telnetd
/telnet on port (\d+)/ && HOSTTYPE =~ /IRIX/i	$target|telnet|a|zcio|ANY@$target|ANY@$target|IRIX telnetd|Possible vulnerability in IRIX telnetd port $1

# Look for NetBus
# (this and other backdoors are also in backdoors.saint, repeated
# here so it will be found on other ports)
# Plain substring match on "NetBus" anywhere in the record.
/NetBus/		$target|backdoor|a|ht|ANY@$target|ANY@$target|backdoor found|Possible NetBus backdoor found

# Look for Kerberos
# Three service names, one identical fact each.
/offers klogin/		$target|kerberos|a|zcio|ANY@$target|ANY@$target|Kerberos detected|Is your Kerberos secure?
/offers kshell/		$target|kerberos|a|zcio|ANY@$target|ANY@$target|Kerberos detected|Is your Kerberos secure?
/offers kpopd/		$target|kerberos|a|zcio|ANY@$target|ANY@$target|Kerberos detected|Is your Kerberos secure?

# Look for distributed denial-of-service tools
# Port-only matches recorded in the "backdoor" table; the last three
# ports all map to mstream and emit the same fact.
/offers 27665:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible trinoo master detected
/offers 16660:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible stacheldraht handler detected
/offers 20432:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible shaft handler detected
/offers 6723:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible mstream handler detected
/offers 15104:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible mstream handler detected
/offers 12754:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible mstream handler detected

